Package: bind9
Version: 1:9.10.3.dfsg.P4-8
Severity: important

Hi,

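bind9 in unstable does not run at all. named is started chrooted
(-t /var/local/chroot/bind) and exits during startup with a crypto failure
while initializing DST, after failing to load the OpenSSL "gost" engine: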

Apr 14 10:05:32 fan named[8795]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f 
-u bind -t /var/local/chroot/bind
Apr 14 10:05:32 fan named[8795]: built with '--prefix=/usr' 
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-aaaa' '--enable-native-pkcs11' 
'--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time 
-D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
Apr 14 10:05:32 fan named[8795]: 
----------------------------------------------------
Apr 14 10:05:32 fan named[8795]: BIND 9 is maintained by Internet Systems 
Consortium,
Apr 14 10:05:32 fan named[8795]: Inc. (ISC), a non-profit 501(c)(3) 
public-benefit
Apr 14 10:05:32 fan named[8795]: corporation.  Support and training for BIND 9 
are
Apr 14 10:05:32 fan named[8795]: available at https://www.isc.org/support
Apr 14 10:05:32 fan named[8795]: 
----------------------------------------------------
Apr 14 10:05:32 fan named[8795]: adjusted limit on open files from 4096 to 
1048576
Apr 14 10:05:32 fan named[8795]: found 6 CPUs, using 6 worker threads
Apr 14 10:05:32 fan named[8795]: using 3 UDP listeners per interface
Apr 14 10:05:32 fan named[8795]: using up to 4096 sockets
Apr 14 10:05:32 fan named[8795]: ENGINE_by_id failed (crypto failure)
Apr 14 10:05:32 fan named[8795]: error:25070067:DSO support 
routines:DSO_load:could not load the shared library:dso_lib.c:233:
Apr 14 10:05:32 fan named[8795]: error:260B6084:engine 
routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
Apr 14 10:05:32 fan named[8795]: error:2606A074:engine routines:ENGINE_by_id:no 
such engine:eng_list.c:390:id=gost
Apr 14 10:05:32 fan named[8795]: initializing DST: crypto failure
Apr 14 10:05:32 fan named[8795]: exiting (due to fatal error)

This is a rather simple setup - recursor for a handful of VMs, a few
local zones, no DNSSEC, next to no load.

Going back to bind9 from jessie fixes the issue for me.

Greetings
Marc


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-rc5+ (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.114
ii  bind9utils             1:9.10.3.dfsg.P4-8
ii  debconf [debconf-2.0]  1.5.59
ii  init-system-helpers    1.29
ii  libbind9-140           1:9.10.3.dfsg.P4-8
ii  libc6                  2.22-6
ii  libcap2                1:2.24-12
ii  libcomerr2             1.43~WIP.2016.03.15-2
ii  libdns162              1:9.10.3.dfsg.P4-8
ii  libgeoip1              1.6.9-1
ii  libgssapi-krb5-2       1.13.2+dfsg-5
ii  libirs141              1:9.10.3.dfsg.P4-7
ii  libisc160              1:9.10.3.dfsg.P4-8
ii  libisccc140            1:9.10.3.dfsg.P4-8
ii  libisccfg140           1:9.10.3.dfsg.P4-8
ii  libk5crypto3           1.13.2+dfsg-5
ii  libkrb5-3              1.13.2+dfsg-5
ii  liblwres141            1:9.10.3.dfsg.P4-8
ii  libssl1.0.2            1.0.2g-1
ii  libxml2                2.9.3+dfsg1-1
ii  lsb-base               9.20160110
ii  net-tools              1.60+git20150829.73cef8a-2
ii  netbase                5.3

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-doc   1:9.10.3.dfsg.P4-7
ii  dnsutils    1:9.10.3.dfsg.P4-8
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/fan.keys";
controls {
  inet ::1
  allow { ::1; }
  keys { fan-rndc; };
};
acl ka51-nets {
        127.0.0.1;
        192.168.18.0/24;
        192.168.29.0/24;
        192.168.251.0/24;
        192.168.181.0/24;
        192.168.182.0/24;
        192.168.221.0/24;
        ::1;
        2a01:238:4071:3200::/56;
};
acl transfer-ips {
        127.0.0.1;
        ::1;
};
include "/etc/bind/named.conf.logging";
include "/etc/bind/conf/zones.conf";

/etc/bind/named.conf.options changed:
options {
        directory "/var/cache/bind";
        session-keyfile "/run/named/session.key";
        pid-file "/run/named/named.pid";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        forwarders {
                192.168.181.53;
                192.168.251.53;
                2a01:238:4071:328e::35:100;
                2a01:238:4071:3281::35:100;
        };
        forward only;
        
        
//========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        
//========================================================================
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-query {
                ka51-nets;
        };
       
        allow-recursion {
                ka51-nets;
        };
        
        allow-transfer {
                transfer-ips;
        };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: true
